Requirements

Why this tech stack? PostgreSQL is the application’s source of truth. Redis provides fast caching and manages background job queues. Kubernetes enables reliable, scalable container orchestration. External Secrets keeps credentials in Secrets Manager (your security team’s preferred location) while making them available to pods.

Technology approval processes: Many enterprises have technology review boards or approved software lists. If PostgreSQL, Kubernetes, or Terraform aren’t already approved in your environment, initiate that process early—it can take weeks.

Which service is most resource-intensive? The evaluations service (confident-evals) consumes the most CPU during evaluation runs—it processes LLM outputs and computes metrics. If evaluations are slow, scale this service first before adding nodes.

EC2 service quotas can block deployment. AWS accounts have default limits on vCPUs. A typical deployment needs ~32 vCPUs (4 nodes × 8 vCPU). Production with autoscaling up to 8 nodes would need 64 vCPUs.

Check your quotas before starting:

• AWS Console → Service Quotas → Amazon EC2 → “Running On-Demand Standard instances”

If your limit is low (e.g., 32 vCPUs in a new account), request an increase—this can take hours to days.

Some organizations restrict which AWS services can be used. Service Control Policies (SCPs) or internal policies may prohibit certain services. Verify the services above are allowed in your AWS organization before proceeding.

Common restrictions that cause issues:

• NAT Gateway (some orgs require shared NAT infrastructure)
• KMS (some orgs require centrally managed keys)
• IAM role creation (some orgs require pre-provisioned roles)

Corporate proxies and firewalls: If your organization routes traffic through a proxy or inspects HTTPS, you may need to:

• Allowlist the domains above
• Configure proxy settings in the deployment
• Get certificate exceptions for HTTPS inspection

Network restrictions are a common cause of deployment failures that appear as timeouts or SSL errors.

Why so many permissions? Terraform creates a complete, self-contained infrastructure. It needs permission to create all the pieces. After deployment, ongoing operations need far fewer permissions.

IAM permissions are the #1 cause of deployment failures. Most organizations don’t grant broad permissions by default.

Options:

1. Use AdministratorAccess temporarily — Simplest for initial deployment. Restrict after success.
2. Request specific permissions — Work with your cloud security team to create a deployment role with the permissions above.
3. Have a platform team deploy — If you can’t get IAM permissions, have someone who does run Terraform.

IAM permission errors look like: Error: creating IAM Role: AccessDenied

These are estimates. Actual costs depend on:

• Region (us-east-1 is typically cheapest)
• Usage (more evaluations = more compute = higher cost)
• Data volume (RDS storage, S3 objects)
• Reserved instances (can reduce EC2/RDS costs 30-50%)

Use AWS Cost Explorer after deployment to track actual spending.